import java.util.List;
import java.util.Map;
+import java.util.Set;
import javax.servlet.http.HttpServletRequest;
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
import org.onap.portalapp.controller.EPRestrictedBaseController;
import org.onap.portalapp.portal.domain.EPUser;
import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
import org.onap.portalapp.portal.transport.CommonWidget;
import org.onap.portalapp.portal.transport.CommonWidgetMeta;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.domain.support.CollaborateList;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
@RestController
@RequestMapping("/portalApi/search")
public class DashboardSearchResultController extends EPRestrictedBaseController {
+ private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class);
@RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json")
public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request,
@RequestParam String resourceType) {
- return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success",
- searchService.getWidgetData(resourceType));
+ if (stringIsNotSafeHtml(resourceType)) {
+ return new PortalRestResponse(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", "");
+ }
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.getWidgetData(resourceType));
}
/**
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) {
+ public PortalRestResponse<String> saveWidgetDataBulk(@Valid @RequestBody CommonWidgetMeta commonWidgetMeta) {
logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta);
- if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals(""))
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
- "Category cannot be null or empty");
+ if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Cateogry cannot be null or empty");
+ }else {
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidgetMeta>> constraintViolations = validator.validate(commonWidgetMeta);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category is not valid");
+ }
// validate dates
for (CommonWidget cw : commonWidgetMeta.getItems()) {
String err = validateCommonWidget(cw);
if (err != null)
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
}
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.saveWidgetDataBulk(commonWidgetMeta));
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.saveWidgetDataBulk(commonWidgetMeta));
}
/**
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) {
+ public PortalRestResponse<String> saveWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget);
- if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals(""))
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
- "Cateogry cannot be null or empty");
+ if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category cannot be null or empty");
+ }else {
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category is not valid");
+ }
String err = validateCommonWidget(commonWidget);
if (err != null)
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.saveWidgetData(commonWidget));
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.saveWidgetData(commonWidget));
}
/**
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) {
+ public PortalRestResponse<String> deleteWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
+ if (commonWidget!=null){
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "CommonWidget is not valid");
+ }
logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget);
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.deleteWidgetData(commonWidget));
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.deleteWidgetData(commonWidget));
}
/**
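Review bot: The error path added at L31 of getWidgetData builds a raw `PortalRestResponse` and stores the String `""` in the slot typed `CommonWidgetMeta`, so a typed consumer of `getResponse()` would fail with a ClassCastException; the diamond form with `null`, as the other error paths use, avoids that: `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", null);`. In saveWidgetDataBulk the else-branch at L54 (and L86 in saveWidgetData) reports "Category is not valid" although `validator.validate` covers every constrained field of the object — the new tests at L192–L220 and L244–L265 trigger it with a tainted `href`, so the message misleads the client, and "CommonWidget is not valid", as deleteWidgetData already says at L108, would be accurate. The discarded `constraintViolations` set is also the only record of which property failed; logging the violation property paths at warn (paths only, so the rejected payload does not land in the logs) would give operators a signal when input is refused. L48 reintroduces the `Cateogry` typo that L80 removes, so the two methods disagree again. Note too that with `@Valid` on the `@RequestBody` at L41, L73 and L102, Spring MVC presumably rejects invalid bodies with a 400 before these methods run when a validator is configured, so the manual validate blocks would then only take effect in direct calls such as the unit tests — worth a one-line comment so the redundancy is not removed by mistake.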
if (user == null) {
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
"searchPortal: User object is null? - check logs",
- new HashMap<String, List<SearchResultItem>>());
+ new HashMap<>());
} else if (searchString == null || searchString.trim().length() == 0) {
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null",
- new HashMap<String, List<SearchResultItem>>());
- } else {
+ new HashMap<>());
+ }else if (stringIsNotSafeHtml(searchString)){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is not valid",
+ new HashMap<>());
+ }else {
logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'",
user.getLoginId(), searchString);
Map<String, List<SearchResultItem>> results = searchService.searchResults(user.getLoginId(),
} catch (Exception e) {
logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e);
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.",
- new HashMap<String, List<SearchResultItem>>());
+ new HashMap<>());
}
}
}
}
+ private boolean stringIsNotSafeHtml(String string){
+ SecureString secureString = new SecureString(string);
+
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+ return !constraintViolations.isEmpty();
+ }
+
}
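Review bot: stringIsNotSafeHtml at L143–L150 has no Javadoc, and its outcome depends entirely on the constraint declared on `SecureString`, which is not visible in this change, so a reader of the controller cannot tell what "not safe" means here. Suggested comment above the method: `/** Returns true when {@code string} violates the Bean Validation constraint declared on {@link SecureString}; callers must reject such input before passing it on. */` — name the actual constraint once confirmed against SecureString. `VALIDATOR_FACTORY.getValidator()` is also called on every invocation here and at L50, L82 and L104; since the Bean Validation API requires Validator implementations to be thread-safe, a single `private static final Validator VALIDATOR = VALIDATOR_FACTORY.getValidator();` next to L23 would do. The method presumably expects a non-null argument (L122 checks null first, and the `@RequestParam` at L27 is required by default), but what `new SecureString(null)` does is not visible here, so a null guard or a comment stating the precondition would make that contract explicit.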
@Test
public void getWidgetDataTest() {
String resourceType = "test";
- PortalRestResponse<CommonWidgetMeta> ecpectedPortalRestResponse = new PortalRestResponse<CommonWidgetMeta>();
+ PortalRestResponse<CommonWidgetMeta> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("success");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
}
+ @Test
+ public void getWidgetDataXSSTest() {
+ String resourceType = "\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"";
+ PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+ expectedPortalRestResponse.setMessage("resourceType: String string is not valid");
+ expectedPortalRestResponse.setResponse("");
+ expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+ Mockito.when(searchService.getWidgetData(resourceType)).thenReturn(null);
+ PortalRestResponse acutualPoratlRestResponse = dashboardSearchResultController
+ .getWidgetData(mockedRequest, resourceType);
+ assertEquals(expectedPortalRestResponse,acutualPoratlRestResponse);
+ }
+
@Test
public void saveWidgetDataBulkTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("success");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
commonWidgetMeta.setCategory("test");
- List<CommonWidget> commonWidgetList = new ArrayList<CommonWidget>();
+ List<CommonWidget> commonWidgetList = new ArrayList<>();
CommonWidget commonWidget = new CommonWidget();
commonWidget.setId((long) 1);
commonWidget.setCategory("test");
assertEquals(actualPortalRestResponse, ecpectedPortalRestResponse);
}
+ @Test
+ public void saveWidgetDataBulkXSSTest() {
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
+ ecpectedPortalRestResponse.setMessage("ERROR");
+ ecpectedPortalRestResponse.setResponse("Category is not valid");
+ ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+
+ CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
+ commonWidgetMeta.setCategory("test");
+
+ List<CommonWidget> commonWidgetList = new ArrayList<>();
+ CommonWidget commonWidget = new CommonWidget();
+ commonWidget.setId((long) 1);
+ commonWidget.setCategory("test");
+ commonWidget.setHref("\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"");
+ commonWidget.setTitle("test_title");
+ commonWidget.setContent("test_content");
+ commonWidget.setEventDate(null);
+ commonWidget.setSortOrder(1);
+
+ commonWidgetList.add(commonWidget);
+
+ commonWidgetMeta.setItems(commonWidgetList);
+
+ Mockito.when(searchService.saveWidgetDataBulk(commonWidgetMeta)).thenReturn(null);
+
+ PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+ .saveWidgetDataBulk(commonWidgetMeta);
+ assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
+ }
+
@Test
public void saveWidgetDataBulkIfCategoryNullTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("java.text.ParseException: Unparseable date: \"1\"");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
commonWidgetMeta.setCategory("test");
- List<CommonWidget> commonWidgetList = new ArrayList<CommonWidget>();
+ List<CommonWidget> commonWidgetList = new ArrayList<>();
CommonWidget commonWidget = new CommonWidget();
commonWidget.setId(null);
commonWidget.setCategory(null);
@Test
public void saveWidgetDataTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("success");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
}
+ @Test
+ public void saveWidgetDataXSSTest() {
+ PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+ expectedPortalRestResponse.setMessage("ERROR");
+ expectedPortalRestResponse.setResponse("Category is not valid");
+ expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+ CommonWidget commonWidget = new CommonWidget();
+ commonWidget.setId((long) 1);
+ commonWidget.setCategory("test");
+ commonWidget.setHref("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+ commonWidget.setTitle("test_title");
+ commonWidget.setContent("test_content");
+ commonWidget.setEventDate(null);
+ commonWidget.setSortOrder(1);
+
+ Mockito.when(searchService.saveWidgetData(commonWidget)).thenReturn(null);
+
+ PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+ .saveWidgetData(commonWidget);
+ assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+
+ }
+
@Test
public void saveWidgetDataExceptionTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("ERROR");
- ecpectedPortalRestResponse.setResponse("Cateogry cannot be null or empty");
+ ecpectedPortalRestResponse.setResponse("Category cannot be null or empty");
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
CommonWidget commonWidget = new CommonWidget();
commonWidget.setId((long) 1);
@Test
public void saveWidgetDataDateErrorTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("java.text.ParseException: Unparseable date: \"1\"");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
}
+ @Test
public void deleteWidgetDataTest() {
- PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
ecpectedPortalRestResponse.setMessage("success");
ecpectedPortalRestResponse.setResponse(null);
ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
assertEquals(actualPortalRestResponse, ecpectedPortalRestResponse);
}
+ @Test
+ public void deleteWidgetDataXSSTest() {
+ PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+ expectedPortalRestResponse.setMessage("ERROR");
+ expectedPortalRestResponse.setResponse("CommonWidget is not valid");
+ expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+ CommonWidget commonWidget = new CommonWidget();
+ commonWidget.setId((long) 1);
+ commonWidget.setCategory("test");
+ commonWidget.setHref("test_href");
+ commonWidget.setTitle("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+ commonWidget.setContent("test_content");
+ commonWidget.setEventDate(null);
+ commonWidget.setSortOrder(1);
+ Mockito.when(searchService.deleteWidgetData(commonWidget)).thenReturn(null);
+
+ PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+ .deleteWidgetData(commonWidget);
+
+ assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+ }
+
@Test
public void searchPortalIfUserIsNull() {
EPUser user = null;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String searchString = "test";
- PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+ PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("searchPortal: User object is null? - check logs");
- expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+ expectedResult.setResponse(new HashMap<>());
expectedResult.setStatus(PortalRestStatusEnum.ERROR);
PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController
.searchPortal(mockedRequest, searchString);
@Test
public void searchPortalIfSearchStringNullTest() {
EPUser user = mockUser.mockEPUser();
- ;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String searchString = null;
- PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+ PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("searchPortal: String string is null");
- expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+ expectedResult.setResponse(new HashMap<>());
expectedResult.setStatus(PortalRestStatusEnum.ERROR);
PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController
@Test
public void searchPortalIfSearchTest() {
EPUser user = mockUser.mockEPUser();
- ;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String searchString = "test";
- List<SearchResultItem> searchResultItemList = new ArrayList<SearchResultItem>();
+ List<SearchResultItem> searchResultItemList = new ArrayList<>();
SearchResultItem searchResultItem = new SearchResultItem();
searchResultItem.setId((long) 1);
searchResultItem.setTarget("test_target");
searchResultItem.setUuid("test_UUId");
searchResultItemList.add(searchResultItem);
- Map<String, List<SearchResultItem>> expectedResultMap = new HashMap<String, List<SearchResultItem>>();
+ Map<String, List<SearchResultItem>> expectedResultMap = new HashMap<>();
expectedResultMap.put(searchString, searchResultItemList);
- PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+ PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("success");
expectedResult.setResponse(expectedResultMap);
expectedResult.setStatus(PortalRestStatusEnum.OK);
@Test
public void searchPortalIfSearchExcptionTest() {
EPUser user = mockUser.mockEPUser();
- ;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String searchString = "test";
- PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+ PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("null - check logs.");
- expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+ expectedResult.setResponse(new HashMap<>());
expectedResult.setStatus(PortalRestStatusEnum.ERROR);
Mockito.when(searchService.searchResults(user.getLoginId(), searchString)).thenThrow(nullPointerException);
@Test
public void getActiveUsersTest() {
- List<String> expectedActiveUsers = new ArrayList<String>();
+ List<String> expectedActiveUsers = new ArrayList<>();
EPUser user = mockUser.mockEPUser();
- ;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String userId = user.getOrgUserId();
Mockito.when(searchService.getRelatedUsers(userId)).thenReturn(expectedActiveUsers);
@Test
public void getActiveUsersExceptionTest() {
- List<String> expectedActiveUsers = new ArrayList<String>();
+ List<String> expectedActiveUsers = new ArrayList<>();
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
String userId = user.getOrgUserId();
public void activeUsersTest() {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
- PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+ PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("success");
expectedResult.setResponse(new ArrayList<>());
expectedResult.setStatus(PortalRestStatusEnum.OK);
public void activeUsersIfUserNullTest() {
EPUser user = null;
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
- PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+ PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("User object is null? - check logs");
expectedResult.setResponse(new ArrayList<>());
expectedResult.setStatus(PortalRestStatusEnum.ERROR);
public void activeUsersExceptionTest() {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
- PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+ PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
expectedResult.setMessage("null - check logs.");
expectedResult.setResponse(new ArrayList<>());
expectedResult.setStatus(PortalRestStatusEnum.ERROR);